afl-untracer completed

This commit is contained in:
van Hauser
2020-04-30 17:59:59 +02:00
parent a37eca9df5
commit efa9df24c2
10 changed files with 106 additions and 75 deletions


@ -20,6 +20,7 @@ e.g.:
```
$ afl-network-server -i 1111 -m 25M -t 1000 -- /bin/target -f @@
```
### on the fuzzing master
Just run afl-fuzz with your normal options, however the target should be
@ -42,3 +43,13 @@ either. Note that also the outgoing interface can be specified with a '%' for
## how to compile and install
`make && sudo make install`
## Future
It would be much faster and more effective if `afl-network-server` does not
send the map data back (64kb or more) but the checksum that `afl-fuzz` would
generate. This change however would make it incompatible with existing
afl spinoffs.
But in the future this will be implemented and supported as a compile option.


@ -175,7 +175,7 @@ static void __afl_start_forkserver(void) {
static u32 __afl_next_testcase(u8 *buf, u32 max_len) {
s32 status, res = 0xffffff;
s32 status, res = 0x0fffffff; // res is a dummy pid
/* Wait for parent by reading from the pipe. Abort if read fails. */
if (read(FORKSRV_FD, &status, 4) != 4) return 0;
@ -193,9 +193,7 @@ static u32 __afl_next_testcase(u8 *buf, u32 max_len) {
}
static void __afl_end_testcase(void) {
int status = 0xffffff;
static void __afl_end_testcase(int status) {
if (write(FORKSRV_FD + 1, &status, 4) != 4) exit(1);
@ -273,7 +271,7 @@ int main(int argc, char *argv[]) {
__afl_map_shm();
__afl_start_forkserver();
int i = 1, j;
int i = 1, j, status, ret;
// fprintf(stderr, "Waiting for first testcase\n");
while ((len = __afl_next_testcase(buf, max_len)) > 0) {
@ -281,17 +279,25 @@ int main(int argc, char *argv[]) {
if (send(s, &len, 4, 0) != 4) PFATAL("sending size data %d failed", len);
if (send(s, buf, len, 0) != len) PFATAL("sending test data failed");
int received = 0, ret;
int received = 0;
while (received < 4 &&
(ret = recv(s, &status + received, 4 - received, 0)) > 0)
received += ret;
if (received != 4)
FATAL("did not receive waitpid data (%d, %d)", received, ret);
// fprintf(stderr, "Received status\n");
int received = 0;
while (received < __afl_map_size &&
(ret = recv(s, __afl_area_ptr + received, __afl_map_size - received,
0)) > 0)
received += ret;
if (received != __afl_map_size)
FATAL("did not receive valid data (%d, %d)", received, ret);
FATAL("did not receive coverage data (%d, %d)", received, ret);
// fprintf(stderr, "Received coverage\n");
/* report the test case is done and wait for the next */
__afl_end_testcase();
__afl_end_testcase(status);
// fprintf(stderr, "Waiting for next testcase %d\n", ++i);
}
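Review bot: The partial-read path of the status loop writes past `status`: `&status + received` is `int *` arithmetic, so after a short read of k bytes the next `recv` lands k*sizeof(int) bytes beyond the start of `status` rather than k bytes in, and the remaining `4 - received` bytes overrun the stack variable. Byte-address the buffer instead: `(ret = recv(s, (char *)&status + received, 4 - received, 0)) > 0`. The coverage loop below does not have this problem provided `__afl_area_ptr` is a byte pointer, as its name and the per-byte `__afl_map_size` arithmetic suggest. Separately, `int received = 0;` is declared twice in this hunk; if both declarations sit in the same block that is a redefinition and the second should read `received = 0;`. main() starts before and ends after this hunk.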
@ -299,4 +305,3 @@ int main(int argc, char *argv[]) {
return 0;
}


@ -579,6 +579,8 @@ int main(int argc, char **argv_orig, char **envp) {
// fprintf(stderr, "received %u\n", in_len);
run_target(fsrv, use_argv, in_data, in_len, 1);
if (send(s, fsrv->child_status, 4, 0) != 4)
FATAL("could not send waitpid data");
if (send(s, fsrv->trace_bits, fsrv->map_size, 0) != fsrv->map_size)
FATAL("could not send coverage data");
// fprintf(stderr, "sent result\n");
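Review bot: `send(s, fsrv->child_status, 4, 0)` passes the value of `child_status` where `send` expects a buffer pointer; if `child_status` is the integer that the client's 4-byte read into `int status` implies, this call sends from whatever address that value happens to name (or fails with EFAULT) instead of transmitting the waitpid status. The line should take the address: `if (send(s, &fsrv->child_status, 4, 0) != 4)`. The enclosing main() starts before and continues after the hunk.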